CSS 111 - Introduction to Information System Security
Chapter 12, Information Security Maintenance
Objectives:
This lesson discusses maintaining a security program.
Objectives important to this lesson:
- Ongoing maintenance
- Management models
- Monitoring the environment
Concepts:
Chapter 12
Chapter 12 closes the book. It discusses maintaining your IT security system and program once they are installed. The author points out that protection must be dynamic and fluid because threats, exploits, and risks are always changing and new ones are always emerging.
On page 511, the text has a list of seven events that may require a
reaction or a change in a security program:
- adding or removing assets
- discovery of new vulnerabilities
- changes in priorities
- changes in partnerships (the text shows this as two bullets)
- loss of skilled personnel
- new personnel
The point in the text is that any or all of these events may occur while you are standing up your security program, which should lead you to start a cycle of reexamination and improvement. The text should point out that these events take place constantly, so staff who work in IT security should be watching for them. When these and other changes take place, IT security staff should take the actions that are required, whether those actions are to make improvements or to rebuild entire solutions.
The text spends the next twenty-four pages discussing the application of a security management model from NIST. Refer to the thirteen-point list on page 575 (in the chapter review) for an overview of this model. It is probably never used in its entirety.
Many organizations are very compartmented, and the interests of the security division may be addressed by mandated interactions between it and other departments, rather than by direct oversight. For instance, it seems very appropriate that the head of the security division should be involved in information security governance, security planning, and risk management. It seems less likely that such a person would be involved in system development, except for systems the security staff own or use. Security awareness and training? Sure. Capital planning and investment control? Not really, except to make proposals for spending in the security division. I think the author may have inserted this section on managing security simply because he had not used it yet in this book. It is useful background about things a company might do, but it does not fit in the chapter as well as we might like. Be aware that several of these concerns may fall under other organizational banners, for reasons that have to do with organizational structure, money and staffing, or both.
On page 536, the author returns to the topic of the chapter. He presents a list of five subject areas that all fit in the larger concept of security maintenance. Unfortunately, the headings on the sections that follow make it difficult to know which pages are about which subject area.
- external monitoring (page 536) - We must watch for attacks that originate outside our organization, but this topic covers more than that; we must develop a network of sources to learn about possible threats, agents, vulnerabilities, and so on. The text recommends:
  - vendor sites, announcements, and patches
  - CERT (Computer Emergency Response Team), which sounds like one source, but nations, states, and organizations can each have their own CERT that can be a source of news, warnings, and remedial procedures
  - blog sites, public information and reference sites, trusted information sites
- internal monitoring (page 541) - We should keep an inventory of our assets, monitor what they are used for, and monitor their performance. This subject area includes inventories, baselines, and intrusion detection and prevention.
- planning and risk assessment (page 544) - We need to audit new projects and installed systems to make recommendations or requirements for making them more secure. We might have security policies in place, for example, that call for an audit of each new server to determine whether it meets our company's standards for secure operation. This subject area includes determining risks whenever our environment changes.
- vulnerability assessment and remediation (page 550) - This subject area includes determining vulnerabilities, recommending or requiring remediation, and penetration testing to measure the effectiveness of our safeguards. This subject area and the previous one may be grouped together.
- readiness and review (page 562) - We can consider this subject area the quality improvement aspect of our security program. It includes reviews of the entire program, reviews of policies, and practice exercises to test our ability to use our solutions. We might practice the same scenarios used in penetration testing, but in this area we can tell the staff who are meant to react what they should be doing, to test new and old methods, and to look for areas to improve.
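The first two subject areas above, external and internal monitoring, come together when a baseline inventory is compared against a fresh snapshot and then checked against the advisories we collect from vendors and CERTs. The following Python is an added example written for these notes, not code from the textbook; the hostnames, service versions, and advisory entries are constructed sample data, and the advisory IDs are placeholders rather than real advisories. It reports hosts and services that were added, removed, or changed (the "adding or removing assets" and "new vulnerabilities" events from page 511), and flags inventory entries that match an advisory.

```python
"""Baseline comparison for an asset inventory, plus a check of that inventory
against an advisory list. Added example for the lesson notes; all data is
constructed and the advisory IDs are placeholders, not real advisories."""
from dataclasses import dataclass, field

# Constructed baseline inventory: hostname -> {service name: version}
BASELINE = {
    "web01": {"nginx": "1.24.0", "openssh": "9.3"},
    "db01": {"postgresql": "15.3", "openssh": "9.3"},
    "files01": {"samba": "4.18.2", "openssh": "9.3"},
}

# Constructed "current" snapshot: a new host appeared, files01 is gone,
# web01 gained a service, and db01's PostgreSQL version changed.
CURRENT = {
    "web01": {"nginx": "1.24.0", "openssh": "9.3", "redis": "7.0.11"},
    "db01": {"postgresql": "15.4", "openssh": "9.3"},
    "jump01": {"openssh": "9.3"},
}


@dataclass
class InventoryDiff:
    added_hosts: list = field(default_factory=list)
    removed_hosts: list = field(default_factory=list)
    new_services: dict = field(default_factory=dict)      # host -> [service]
    removed_services: dict = field(default_factory=dict)  # host -> [service]
    changed_versions: dict = field(default_factory=dict)  # host -> {svc: (old, new)}


def diff_inventory(baseline: dict, current: dict) -> InventoryDiff:
    """Compare a saved baseline with a new snapshot and report every change."""
    d = InventoryDiff()
    d.added_hosts = sorted(set(current) - set(baseline))
    d.removed_hosts = sorted(set(baseline) - set(current))
    for host in sorted(set(baseline) & set(current)):
        old, new = baseline[host], current[host]
        added = sorted(set(new) - set(old))
        removed = sorted(set(old) - set(new))
        changed = {s: (old[s], new[s])
                   for s in sorted(set(old) & set(new)) if old[s] != new[s]}
        if added:
            d.new_services[host] = added
        if removed:
            d.removed_services[host] = removed
        if changed:
            d.changed_versions[host] = changed
    return d


# Constructed advisory feed, the kind of item a vendor or CERT page publishes.
# IDs are placeholders; the version/product pairs are made up for the example.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "redis", "affected": {"7.0.11"}},
    {"id": "ADV-EXAMPLE-2", "product": "samba", "affected": {"4.18.2"}},
]


def match_advisories(inventory: dict, advisories: list) -> list:
    """Return (host, product, version, advisory id) for every inventory entry
    whose installed version appears in an advisory's affected set."""
    hits = []
    for host, services in sorted(inventory.items()):
        for adv in advisories:
            version = services.get(adv["product"])
            if version in adv["affected"]:
                hits.append((host, adv["product"], version, adv["id"]))
    return hits


if __name__ == "__main__":
    diff = diff_inventory(BASELINE, CURRENT)
    print("added hosts:", diff.added_hosts)
    print("removed hosts:", diff.removed_hosts)
    print("new services:", diff.new_services)
    print("changed versions:", diff.changed_versions)
    for hit in match_advisories(CURRENT, ADVISORIES):
        print("advisory match:", hit)
```

In practice the baseline would be stored with the inventory and refreshed only after the change has been reviewed; an unexplained new host or listening service is exactly the kind of event that should trigger the planning and risk assessment step that follows.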
The chapter concludes with a discussion of forensics: gathering and preserving evidence when there is suspected wrongdoing. A forensic investigation is typically one that concerns a crime. This section is about computer forensics, investigations into crimes that involve computers and other information system equipment. The text discusses five aspects of an investigation:
- secure the scene and determine what items are evidence - The team mentioned in the text may be called an Incident Response Team, a Forensics Response Team, a Digital Forensics Team, or another title that means the same thing. They are responsible for taking possession of devices that might hold any data that might contain evidence of the crime being investigated.
- acquire and preserve the evidence - This aspect is closely related to the first, in that the response team may have to take images of data in RAM that would be lost if not recorded before the power is turned off.
- establish (and maintain) the chain of custody - There must be continuous documentation of who has had access to seized devices and data, who has done what with it, and who it is turned over to at each change in custody.
- examine for evidence - Although the other discussions have used the word "evidence" several times, this one brings up the point that not everything you find is actually evidence. At this stage, only things that indicate or prove a crime was committed can be considered as evidence that will be presented in court.
- report to proper authority - The proper authority will always include the people you work for, and may include police or court officers, depending on the type of investigation.
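The "acquire and preserve" and "chain of custody" aspects are usually tied together in practice: a hash of the image is recorded at the moment of acquisition, and every later handover re-verifies that hash and records who passed the item to whom. The following Python is an added example written for these notes, not code from the textbook; the examiner names, timestamps, and the sample "image" bytes are constructed. It refuses a handover when the item no longer matches its acquisition hash or when the person handing it over is not the custodian of record, and it can check that a finished log is continuous.

```python
"""Acquisition hash and chain-of-custody log for a seized item.
Added example for the lesson notes; names, times, and the sample image bytes
are constructed."""
import hashlib
from dataclasses import dataclass, field


def item_hash(data: bytes) -> str:
    """SHA-256 of the item. Recorded once at acquisition, re-checked at each handover."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str         # ISO-8601 timestamp supplied by the caller
    from_person: str
    to_person: str
    action: str       # "acquired" or "transferred"
    sha256: str       # hash verified at this handover


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_sha256: str
    log: list = field(default_factory=list)


def acquire(item_id: str, description: str, data: bytes,
            examiner: str, when: str) -> EvidenceItem:
    """Open the custody log with the acquisition entry and its hash."""
    h = item_hash(data)
    item = EvidenceItem(item_id, description, h)
    item.log.append(CustodyEntry(when, "scene", examiner, "acquired", h))
    return item


def transfer(item: EvidenceItem, data: bytes,
             from_person: str, to_person: str, when: str) -> None:
    """Record a handover. Raises ValueError if the item's hash no longer matches
    the acquisition hash, or if from_person is not the custodian of record."""
    current = item_hash(data)
    if current != item.acquisition_sha256:
        raise ValueError(f"{item.item_id}: hash mismatch at handover to {to_person}")
    if item.log[-1].to_person != from_person:
        raise ValueError(f"{item.item_id}: {from_person} is not the current custodian")
    item.log.append(CustodyEntry(when, from_person, to_person, "transferred", current))


def verify_chain(item: EvidenceItem) -> bool:
    """True when the log starts with acquisition, every recipient is the next
    entry's sender, and every recorded hash equals the acquisition hash."""
    if not item.log or item.log[0].action != "acquired":
        return False
    for prev, nxt in zip(item.log, item.log[1:]):
        if prev.to_person != nxt.from_person:
            return False
    return all(e.sha256 == item.acquisition_sha256 for e in item.log)


# Constructed sample standing in for a RAM or disk image captured at the scene.
SAMPLE_IMAGE = b"constructed sample image bytes\x00\x01\x02"


def demo() -> tuple:
    """Walk one item through acquisition, a good handover, and a tampered one.
    Returns (chain valid after good handover, tampering detected, log length)."""
    item = acquire("E-001", "RAM image, workstation (constructed)",
                   SAMPLE_IMAGE, "A. Examiner", "2024-01-01T09:00:00Z")
    transfer(item, SAMPLE_IMAGE, "A. Examiner", "B. Analyst", "2024-01-01T12:00:00Z")
    chain_ok = verify_chain(item)
    try:
        transfer(item, SAMPLE_IMAGE + b"X", "B. Analyst", "C. Counsel",
                 "2024-01-02T09:00:00Z")
        detected = False
    except ValueError:
        detected = True
    return chain_ok, detected, len(item.log)


if __name__ == "__main__":
    for entry in demo_item().log if False else []:
        pass
    print(demo())
```

The point of re-hashing at every handover rather than only at the end is that a mismatch is then attributable to one specific custody interval, which is what the "who has done what with it" requirement above is asking for.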